On Fri, 23 Sep 2016, Deepak Dimri wrote:
> Hi Alexander,  I am using AWS to do a pilot on FreeIPA & unfortunately
> AWS does not provide Fedora or CentOS as part of its free tier setup so
> I have to live with Ubuntu, Red Hat, SUSE etc.  I have the same problem
> with Ubuntu and Red Hat though!
CentOS 7 is available and eligible for free tier:
https://aws.amazon.com/marketplace/pp/B00O7WM7QW


> Just one basic question.. what are the steps I should be following to
> make it work assuming I am trying on CentOS or Fedora?
Literally what you describe in your setup, except that 'password:pam'
seems to be broken in OpenSSH -- given that you are using PAM already
for password checks, removing :pam should just work. It works for me
with

Match Group twofa
  AllowGroups twofa
  AuthenticationMethods publickey,password publickey,keyboard-interactive

as the last statement in the sshd_config.

Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: monitor_child_preauth: method publickey: partial
...
Sep 23 11:56:07 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: sshpam_passwd_conv called with 2 messages
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: request received
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user query start
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user query end: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind start: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind end: success
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: response sent: Access-Accept
Sep 23 11:56:10 f24-master.ipa.ad.test audit[2965]: USER_AUTH pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.136 user=foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: PAM: password authentication accepted for foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_answer_authpassword: sending result 1
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 13
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: auth2_update_methods_lists: updating methods list after "password"
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug2: authentication methods list 0 complete
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive_expect entering: type 102
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive entering
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: do_pam_account: called
Sep 23 11:56:12 f24-master.ipa.ad.test audit[2965]: USER_ACCT pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 103
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug1: monitor_child_preauth: foobar has been authenticated by privileged process

The first line above says that the publickey method was successful but not
enough to allow login (partial) because a password is also required. The
client got a request to enter the password+OTP value. As you can see, the
user is only allowed to log in with an OTP token.

$ ssh foobar@192.168.5.117
foobar@192.168.5.117's password: Last login: Fri Sep 23 11:49:17 2016
-sh-4.3$ id
uid=903200044(foobar) gid=903200044(foobar) 
groups=903200044(foobar),903200046(twofa) 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$ klist
Ticket cache: KEYRING:persistent:903200044:krb_ccache_Dk553LV
Default principal: foo...@ipa.ad.test

Valid starting       Expires              Service principal
09/23/2016 11:56:08  09/24/2016 11:56:08  krbtgt/ipa.ad.t...@ipa.ad.test

-sh-4.3$ ipa user-show foobar
 User login: foobar
 First name: Test
 Last name: Foo
 Home directory: /home/foobar
 Login shell: /bin/sh
 Principal name: foo...@ipa.ad.test
 Principal alias: foo...@ipa.ad.test
 Email address: foo...@ipa.ad.test
 UID: 903200044
 GID: 903200044
 User authentication types: otp
 Account disabled: False
 Password: True
 Member of groups: twofa, ipausers
 Kerberos keys available: True

--
/ Alexander Bokovoy
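
An added example, not part of Alexander's reply and not FreeIPA or OpenSSH
code: it checks an AuthenticationMethods value like the one quoted above for
a genuine two-factor requirement (every alternative must combine a key
factor with a PAM-backed factor, so no single method completes the login),
and it reconstructs from sshd debug3 output which methods each accepted
session actually completed, using the "method publickey: partial",
"updating methods list after ..." and "authentication methods list N
complete" messages seen in the log. Assumptions: the factor classification
is a simplification (publickey/hostbased versus password/keyboard-
interactive, the latter being where pam_sss hands password+OTP to ipa-otpd
in this setup); all function names are mine; the log lines for pid 2965 are
copied from the reply with their wrapping removed, while the pid 3102 /
user baz / 192.168.5.140 lines are constructed to show a single-factor
login being flagged.

```python
"""Check sshd AuthenticationMethods for two factors and correlate sshd debug logs.

Added example; not code from the mailing-list thread or from OpenSSH/FreeIPA.
"""
import re
from collections import defaultdict

# Value from the Match block quoted in the reply.
AUTH_METHODS = "publickey,password publickey,keyboard-interactive"

# Simplified factor classes (assumption): a key the client holds versus a
# PAM-backed method, which in this setup is password+OTP checked by ipa-otpd.
KEY_FACTORS = {"publickey", "hostbased"}
PAM_FACTORS = {"password", "keyboard-interactive"}


def parse_authentication_methods(value):
    """Space separates alternatives; comma separates the methods that must ALL
    succeed within one alternative. A ':device' suffix such as
    keyboard-interactive:pam names a sub-method and is stripped here."""
    return [[m.split(":", 1)[0] for m in alt.split(",") if m]
            for alt in value.split()]


def requires_two_factors(value):
    """True only if every alternative combines a key factor with a PAM factor."""
    return all(set(alt) & KEY_FACTORS and set(alt) & PAM_FACTORS
               for alt in parse_authentication_methods(value))


LOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(\d+)\]: (.*)$")
PARTIAL_RE = re.compile(r"monitor_child_preauth: method (\S+): partial")
UPDATE_RE = re.compile(r'updating methods list after "([^"]+)"')
LIST_RE = re.compile(r"authentication methods list (\d+) complete")
ACCEPTED_RE = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2")


def reconstruct_sessions(log_lines):
    """Per sshd pid: the ordered methods that succeeded, the index of the
    AuthenticationMethods alternative sshd reported complete, and the user
    once sshd logs 'Accepted ...'."""
    sessions = defaultdict(lambda: {"methods": [], "alternative": None, "user": None})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions[pid]
        hit = PARTIAL_RE.search(msg) or UPDATE_RE.search(msg)
        if hit:
            # sshd logs both an 'updating' and a 'partial' line for a method
            # that is not yet enough on its own; count each method once.
            if not s["methods"] or s["methods"][-1] != hit.group(1):
                s["methods"].append(hit.group(1))
            continue
        if (c := LIST_RE.search(msg)):
            s["alternative"] = int(c.group(1))
        elif (a := ACCEPTED_RE.search(msg)):
            s["user"] = a.group(2)
    return dict(sessions)


def accepted_with_two_factors(log_lines, auth_methods=AUTH_METHODS):
    """Map user -> bool for each accepted session: did the completed methods
    cover a key factor AND a PAM factor, and match the alternative sshd
    reported complete? Sessions with no method bookkeeping (no
    AuthenticationMethods in force) are flagged False."""
    alternatives = parse_authentication_methods(auth_methods)
    result = {}
    for s in reconstruct_sessions(log_lines).values():
        if s["user"] is None:
            continue
        done = set(s["methods"])
        idx = s["alternative"]
        expected = set(alternatives[idx]) if idx is not None and idx < len(alternatives) else set()
        result[s["user"]] = bool(done & KEY_FACTORS and done & PAM_FACTORS) and done == expected
    return result


# pid 2965 lines copied from the reply (rejoined); pid 3102 lines are constructed.
SAMPLE_LOG = """\
Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: monitor_child_preauth: method publickey: partial
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: PAM: password authentication accepted for foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: auth2_update_methods_lists: updating methods list after "password"
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug2: authentication methods list 0 complete
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug1: monitor_child_preauth: foobar has been authenticated by privileged process
Sep 23 12:01:03 f24-master.ipa.ad.test sshd[3102]: debug1: PAM: password authentication accepted for baz
Sep 23 12:01:03 f24-master.ipa.ad.test sshd[3102]: Accepted password for baz from 192.168.5.140 port 40102 ssh2
""".splitlines()

if __name__ == "__main__":
    print("config requires two factors:", requires_two_factors(AUTH_METHODS))
    for user, ok in accepted_with_two_factors(SAMPLE_LOG).items():
        print(f"{user}: {'two factors' if ok else 'SINGLE FACTOR'}")
```

Run against `journalctl -u sshd` output with LogLevel DEBUG3 in effect; the
config check is the quick sanity test for the Match block, and the per-user
result is the one to alert on when a group that should require two factors
shows a login completed by a single method.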

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project